This article describes how an EXE can be bundled with a Word document and disguised as one. We hope it gives you a deeper understanding of the technique.

The system is tolerant of data appended to the end of an EXE file: the file still runs normally. What we have to do is append the Trojan's data and the Word document's data to the end of the camouflage program. The structure is as follows:

    |bind.exe|muma.exe|Word.doc|

When the bundled Bind.exe is run, it reads the appended data, runs Muma.exe and Word.doc together, and then ends its own process. Of course, Bind.exe does far more than described here; it is also responsible for writing the data in the first place.

Program interface.

First, how to use Word's icon. As mentioned above, the data is written to the end of the camouflage program, so the final bundle displays the camouflage program's icon. We therefore simply replace the camouflage program's icon with the Word document icon.

The Bind_files() function in the program is responsible for writing data to the end of the camouflage program. Pseudocode is as follows:

    Bind_files()
    {
        _stat(my_name, &st);                           // Get the camouflage program's own file information
        fread(buf, 1, modify_data.my_length, myself);  // Store its own file data in the buffer
        out = fopen("Xicao.exe", "wb");                // Create the final composite file
        fwrite(buf, 1, bytesin, out);                  // Write the first file's data to be disguised
        fwrite(buf, 1, bytesin, out);                  // Write the second file's data to be disguised
    }

Another important function is Unbind_and_run(), which reads the data and runs the bundled files.
Pseudocode is as follows:

    Unbind_and_run()
    {
        GetSystemDirectory(chSystemDir, MAX_PATH);          // Unpack the files into the system directory
        out = fopen(strSystemDir + "\\NEW.doc", "wb");      // Create the first disguised file
        out = fopen(strSystemDir + "\\WINWord.EXE", "wb");  // Create the second disguised file
        HINSTANCE result = ShellExecute(NULL, _T("open"), strSystemDir + "\\NEW.doc", NULL, NULL, SW_SHOW);  // Open the Word document
        create_process(strSystemDir + "\\WINWord.EXE");     // Run the Trojan file
    }

As the pseudocode shows, to be more deceptive, the process name of the Trojan is also changed to WINWord.EXE.

Readers may ask when Bind_files() is used and when Unbind_and_run() is used. The program decides by checking its own size: when it is smaller than 35K, it is in the unbundled state and displays the normal interface. Otherwise, it calls Unbind_and_run() and exits its own process.

The disguised EXE looks very much like a Word document: when run, it runs the Trojan program and opens a Word document. Of course, as soon as file extensions are shown, its true colours are revealed. In addition, the words "Microsoft Word document" and "K" seen in the figure are obtained by modifying the program's version resource (VS_VERSION_INFO).

I have always thought that once the principle and the algorithm of a program are understood, the implementation is within reach. So this article does not explain large sections of code; it only describes the principle behind the program. For the implementation, please refer to the source code.

That concludes this introduction to the EXE disguised as a Word bundle; we hope you gained something from it.

Responsible editor: Sun Chaohua TEL: (010) 68476606
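Because the |bind.exe|muma.exe|Word.doc| layout described above places both payloads after the host's last section, a scanner can flag it by inspecting the PE overlay. The following Python check is an added example, not code from the original article; the function names, the `SAMPLE` bytes and the `fake_pe` helper are constructed for illustration.

```python
import struct

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound-file header (.doc)

def pe_image_end(data, base=0):
    """End offset of the last section's raw data for a PE at `base`, else None."""
    if data[base:base + 2] != b"MZ" or len(data) < base + 0x40:
        return None
    pe = base + struct.unpack_from("<I", data, base + 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0" or len(data) < pe + 24:
        return None
    nsect, = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    end = table + 40 * nsect
    if end > len(data):
        return None
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, base + raw_ptr + raw_size)
    return end

def scan_overlay(data):
    """Return sorted (offset, kind) hits for payloads appended after the host PE."""
    start = pe_image_end(data)
    if start is None or start >= len(data):
        return []
    hits = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pe_image_end(data, pos) is not None:  # only count MZ with a valid PE header
            hits.append((pos, "embedded PE"))
        pos = data.find(b"MZ", pos + 1)
    pos = data.find(OLE_MAGIC, start)
    if pos != -1:
        hits.append((pos, "OLE2 document"))
    return sorted(hits)

def fake_pe(body_len):
    """Constructed PE skeleton (headers plus one section); test data, not a real program."""
    hdr = bytearray(0x200)
    hdr[0:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)       # e_lfanew
    struct.pack_into("<H", hdr, 0x86, 1)          # one section
    struct.pack_into("<H", hdr, 0x94, 0xE0)       # SizeOfOptionalHeader
    struct.pack_into("<II", hdr, 0x178 + 16, body_len, 0x200)  # raw size, raw pointer
    return bytes(hdr) + b"\x90" * body_len

SAMPLE = fake_pe(0x200) + fake_pe(0x100) + OLE_MAGIC + bytes(64)  # constructed |host|exe|doc|
```

Overlays also occur legitimately (Authenticode signatures, installers, self-extracting archives), so treat a hit as a triage signal. It carries more weight on a file with an .exe extension that shows a Word icon or a Word-like version resource.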